Pentagon: Fake tech is a recurrent problem

Counterfeit materials are the most frequently encountered danger to the supply chain that delivers U.S. military systems, a Defense Department official said Tuesday.

Because technology often touches many hands in many foreign countries before reaching a contractor, malicious actors or scammers have multiple opportunities to taint materials, government officials have found. Federal auditors also have just released two reports citing the vulnerability of national security systems to the installation of malicious software and fake parts. Pentagon officials on Tuesday confirmed to lawmakers the existence of those threats.

In the Defense supply chain, "the most common occurring threat would be in the realm of the counterfeit issue, because of its prevalence," said Mitchell Komaroff, Defense's director of trusted mission systems and networks.

On Monday, the Government Accountability Office reported that online vendors in China are marketing to the Pentagon suspected counterfeit electronic components. After ordering military-grade parts from online portals, government investigators masquerading behind a fictitious company received 40 price quotes for bogus part numbers -- all from vendors located in China.

To guard against compromised technology, which potentially could fail or harbor malware, acquisition specialists are forging new relationships with the intelligence community, Komaroff said. The Defense Intelligence Agency has conducted about 500 analyses for military purchasing programs, he said during a House Energy and Commerce Subcommittee on Oversight and Investigations hearing. A robust trusted systems and networks strategy for limiting supply risks is expected to be operational by fiscal 2016, he added.

GAO's online shopping experiment focused on defense components that are hard to find, including those used in weapons systems. When the auditors asked vendors for invalid part numbers that GAO had concocted, the firms sent the auditors bogus parts labeled with the invalid numbers. In other words, the Chinese suppliers offered to sell parts that do not technically exist. The trial ran from August through February.

Separately, a 2010 Commerce Department survey found that of 387 defense contractors, 39 percent had encountered counterfeit electronics during a four-year period. And those military suppliers witnessed a more than 140 percent increase in incidents during that period.

The Energy Department, guardian of the U.S. nuclear stockpile, faces some of the same problems as Defense but has been more negligent in preventing them, auditors noted in a separate report released Friday. During Tuesday's hearing, lawmakers bashed Energy officials over the findings.

Energy's Chief Information Security Officer Gil Vega responded, "there is some room in the Department of Energy to be more explicit about the policy relating to supply chain management, and the processes and the systems to monitor the implementation of those processes."

Energy, along with the Homeland Security and Justice departments, has not started monitoring supply chain protections, the auditors found.

Vega said he is "absolutely" aware of threats to Energy's supply chain, specifically the coordinated efforts by adversaries whose capabilities are world class. But, during the eight months he has been on the job, he was not made aware of any threats that had been realized, Vega said.

Energy is writing guidance for its suppliers on how to manage risks but could not provide lawmakers with a date for its completion.

A nation state is widely believed to be behind a 2011 prolonged and, initially undetected, hack into Energy's Oak Ridge National Laboratory. Vega said his department is coordinating with the White House on recent cyber incidents at its national labs.

Homeland Security officials in July revealed that components in the U.S. supply chain have been embedded with security flaws. But they did not specify whether those defects were planted intentionally as "backdoors" -- or code enabling outsiders to manipulate machines remotely.